Forum Discussion

klindelof
New Contributor
2 months ago
Solved

Auditor Access (aka Global View-Only with no password access)

Hi All,

tl;dr I'm hoping to be able to view all groups (with membership) and vaults (including both credentials and membership but WITHOUT being able to see/use passwords) for my entire organization. I don't strictly need to view individually managed credentials, and definitely don't need access to personal accounts.

----

Background: My company uses 1Password to manage individual and shared work accounts. I'm involved from a compliance role in various audits of user access in different systems, and I consistently run into a challenge reviewing access to shared accounts. For each shared account, I have to rely on other relevant team leads for:

  1. screenshot of the account/credential itself, including what vault/folder it's contained in
  2. screenshot of the 1Password users/groups that have access to the vault/folder
  3. If groups have access to the vault/folder, then a screenshot of the 1Password users/groups that are members of the first group (and possibly going down the rabbit hole of nested groups)
  4. Reviewing the users with access and confirming they are appropriate to continue having access (or remove, if necessary)

This takes a lot of time for a compliance activity. I'm hoping to get access myself, but haven't been able to figure it out yet with my helpdesk team. Additionally, I know other teams perform similar reviews but for different systems, so I'm hoping this can be a role or group that myself and other compliance/auditor team members can have.

Q1: Is it possible to get a role in 1Password that provides access to all vaults (with membership), credentials in vaults (WITHOUT being able to see/use passwords - just the credential name, system, and username/email), and groups (with membership)?

Q2: Or if this access/role is not possible, is it possible to build a report that pulls this information in? I could just run the report when I'm doing this review.

Q3: How are other people doing this? Am I missing something totally obvious? 

Appreciate anyone's response and help. Thanks!

-KC


5 Replies

  • klindelof
    New Contributor

    UPDATE:

    For anyone that may have this similar need of visibility, I wanted to provide an update from our own internal testing and from what we've been able to hear from 1Password sources. Thank you to the 1Password staff that got involved and helped answer questions!

    This access is possible to get through a new group (we called it "Auditors") that is provided view access to all vaults. This required a user with Administrator privileges in 1Password to add the group to each account and specify that it has view access (without password access). For us, that wasn't feasible to do via the UI due to the number of vaults, so the administrator user had to do this via a script. And this same script needs to be rerun whenever an audit is performed to ensure that the group has access to any new vaults.

    Same idea for groups.

    There currently isn't a way to have an effective report of this same information, and there isn't a default/OOTB route to getting this level of access besides the custom group with permissions.

    Hope this helps whoever might have this question.

    I had 1 suggestion for 1Password staff - I may be wrong, but the use case I laid out in the original post seems like it would be a fairly common request from established organizations using 1Password. Since the "Owners" and "Administrators" groups are enabled by default and have elevated access, having 1 additional default group ("Auditors", always added to new groups, similar to the Owners and Administrators groups) that only has this view access seems like it wouldn't introduce any additional risk. In fact, I believe it reduces risk by enabling Compliance teams to have a straightforward and standardized approach to managing 1Password, instead of:

    • relying on individual group/vault managers, or
    • getting too much access by being added to the Owners/Administrators groups, or
    • letting 1Password be a black box and not being able to provide adequate assurance

    Again, appreciate the responses from 1Password, and hope this helps someone.
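The procedure in the update above (an admin script that grants an "Auditors" group view-only access to every vault, rerun before each audit) and the report the poster could not get (Q2) can both be driven from the 1Password CLI. The script below is an added example, not the poster's script and not 1Password's own code. It assumes `op` v2 is signed in as an administrator, that `op vault list`, `op vault group list <vault>`, `op vault user list <vault>` and `op group user list <group>` emit the JSON fields used here (id, name, email, permissions), and that `view_items` / `view_and_copy_passwords` are the vault permission names in a 1Password Business account; check all of these against your CLI version before relying on it. The embedded `op` output is constructed sample data so the script runs offline.

```python
"""Auditor-group grants and a vault-access report from 1Password CLI (`op`) JSON.

Added example for the procedure in the forum post; not 1Password's code and
not the poster's script. Assumed: `op` v2 is signed in, the `op ... list`
commands below emit the fields used here (id, name, email, permissions), and
`view_items` / `view_and_copy_passwords` are the Business vault permissions.
"""
import json
import subprocess

AUDIT_GROUP = "Auditors"                 # group name used in the post
AUDIT_PERMS = "view_items"               # see items and non-concealed fields only
REVEAL_PERM = "view_and_copy_passwords"  # the permission an auditor must NOT hold


def run_op(args, runner=subprocess.run):
    """Run `op <args> --format json` and parse the output."""
    proc = runner(["op", *args, "--format", "json"], check=True,
                  capture_output=True, text=True)
    return json.loads(proc.stdout)


def collect(runner=subprocess.run):
    """Pull vaults, per-vault group/user grants and group memberships."""
    vaults = run_op(["vault", "list"], runner)
    vault_groups = {v["id"]: run_op(["vault", "group", "list", v["id"]], runner)
                    for v in vaults}
    vault_users = {v["id"]: run_op(["vault", "user", "list", v["id"]], runner)
                   for v in vaults}
    names = sorted({g["name"] for gs in vault_groups.values() for g in gs})
    group_members = {n: run_op(["group", "user", "list", n], runner) for n in names}
    return vaults, vault_groups, vault_users, group_members


def grant_commands(vaults, vault_groups, group=AUDIT_GROUP, perms=AUDIT_PERMS):
    """Commands giving `group` view-only access to every vault it is missing from.
    Skips vaults already granted, so it is safe to rerun before each audit."""
    cmds = []
    for v in vaults:
        present = {g["name"] for g in vault_groups.get(v["id"], [])}
        if group not in present:
            cmds.append(["op", "vault", "group", "grant", "--vault", v["id"],
                         "--group", group, "--permissions", perms])
    return cmds


def access_report(vaults, vault_groups, vault_users, group_members):
    """Flatten vault -> groups -> members into one table per vault.
    users maps email -> how access was obtained ("direct" or "group:<name>");
    can_reveal_passwords lists everyone holding REVEAL_PERM by any route."""
    report = {}
    for v in vaults:
        users, groups, reveal = {}, {}, set()
        for u in vault_users.get(v["id"], []):
            users.setdefault(u["email"], []).append("direct")
            if REVEAL_PERM in u.get("permissions", []):
                reveal.add(u["email"])
        for g in vault_groups.get(v["id"], []):
            groups[g["name"]] = sorted(g["permissions"])
            for m in group_members.get(g["name"], []):
                users.setdefault(m["email"], []).append("group:" + g["name"])
                if REVEAL_PERM in g["permissions"]:
                    reveal.add(m["email"])
        report[v["name"]] = {"groups": groups,
                             "users": {e: sorted(w) for e, w in users.items()},
                             "can_reveal_passwords": sorted(reveal)}
    return report


# Constructed sample output standing in for `op`, so the script runs offline.
FULL = ["view_items", REVEAL_PERM, "create_items", "edit_items"]
SAMPLE = {
    "vault list": [{"id": "v1", "name": "Engineering"}, {"id": "v2", "name": "Finance"}],
    "vault group list v1": [{"id": "g1", "name": "Engineering", "permissions": FULL},
                            {"id": "g9", "name": AUDIT_GROUP, "permissions": [AUDIT_PERMS]}],
    "vault group list v2": [{"id": "g2", "name": "Finance", "permissions": FULL}],
    "vault user list v2": [{"id": "u3", "email": "cfo@example.com", "permissions": FULL}],
    "group user list Engineering": [{"id": "u1", "email": "alice@example.com"},
                                    {"id": "u2", "email": "bob@example.com"}],
    "group user list Finance": [{"id": "u4", "email": "carol@example.com"}],
    "group user list " + AUDIT_GROUP: [{"id": "u5", "email": "kc@example.com"}],
}


def sample_runner(cmd, **_):
    """Fake subprocess.run answering from SAMPLE (drops 'op' and '--format json')."""
    key = " ".join(cmd[1:-2])
    return subprocess.CompletedProcess(cmd, 0, stdout=json.dumps(SAMPLE.get(key, [])), stderr="")


if __name__ == "__main__":
    data = collect(sample_runner)            # swap for collect() against a real account
    for cmd in grant_commands(data[0], data[1]):
        print(" ".join(cmd))                 # review, then run as an administrator
    print(json.dumps(access_report(*data), indent=2))
```

Two design points worth noting. The grant step only emits commands it would run, so an administrator can review them before executing, and it is idempotent, which is what makes the "rerun before every audit" step safe. The report is what the original post asked for in Q2: per vault, every person with access, how they got it, and (the line a reviewer actually signs off on) who can reveal passwords; with only `view_items`, the Auditors group never appears in that last list.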

    • 1P_SimonH
      Community Manager

      Hey klindelof,

      Thanks for closing the loop on this! I've added your suggestion for an auditor role to a feature request and shared it with the team.

      ref: PB-49374199

  • 1P_SimonH
    Community Manager

    Thank you for your thoughtful and well-articulated post!

    You’re raising an important use case that we hear from customers in compliance, security, and audit roles. While 1Password is designed with strict access controls to protect sensitive information, we understand the need for greater visibility into vault and group structures for oversight and review.

    Some of what you’re asking touches on areas that would benefit from a deeper conversation, especially given the security model in place and how it aligns with your organization’s goals. We'd love to connect directly to understand your needs further and explore potential solutions or workarounds.

    If you’re open to it, I’d be happy to follow up via your account’s Customer Success contact or help get the right folks looped in.

    Thanks again for raising this. It’s a valuable conversation and something we’re actively thinking about as we evolve the platform.

    • klindelof
      New Contributor

      Hi Simon,

      Thanks for the reply! Having a deeper conversation sounds great - feel free to connect directly and we can continue the discussion!

      I'm sure some of the conversation will be organization-specific, but I'm optimistically hoping to share back here any discovered solutions (as I couldn't find any previous post that was exactly what I was looking for).